What's New in Aspire 13.4.5
Patch release for Aspire 13.4 clearing a transitive MessagePack security advisory, tightening CLI validation for Playwright configuration, and adding coding-agent detection to CLI telemetry.
Fixes
- Bumped StreamJsonRpc to 2.25.29 to clear the MessagePack GHSA-hv8m-jj95-wg3x (CVE-2026-48109) NU1903 advisory: The transitive MessagePack 2.5.192 dependency pulled in via StreamJsonRpc 2.22.23 fell within the advisory's vulnerable LZ4 decompression range. Aspire does not use `MessagePackFormatter` or LZ4 (all StreamJsonRpc calls use `SystemTextJsonFormatter` over local Unix sockets), so the vulnerability was not reachable in practice. The bump clears the NU1903 warning for consumers of the `Aspire.Hosting` package. (#18204, @mitchdenny)
- `playwrightCliVersion` values that are not valid SemVer 2.0 now fail fast with a clear diagnostic: Previously an invalid override (range expression, dist-tag like `latest`, or a `v`-prefixed string) would surface as a generic npm resolution failure. The value is now validated with strict SemVer parsing at startup; an error naming the configuration key and the offending value is emitted immediately. (#18205, @mitchdenny)
- CLI telemetry now detects and reports the calling coding agent: When the Aspire CLI is invoked from inside a known coding agent environment (GitHub Copilot CLI, VS Code Copilot agent, etc.) the agent name is included in the main CLI telemetry event. GitHub Copilot CLI is specifically identified as `copilot-cli`. (#18240, @damianedwards)
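The strict `playwrightCliVersion` check described above, sketched as an added TypeScript example (not Aspire's own code; the function names, rejection categories and sample values are assumptions). It uses the official SemVer 2.0.0 grammar and names the key and offending value in the diagnostic, so only an exact pin is ever passed on to package resolution:

```typescript
// Added illustration, not Aspire's implementation. Names are assumptions.
// Official SemVer 2.0.0 grammar: MAJOR.MINOR.PATCH[-prerelease][+build].
const SEMVER_2_0 =
  /^(0|[1-9]\d*)\.(0|[1-9]\d*)\.(0|[1-9]\d*)(?:-((?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*)(?:\.(?:0|[1-9]\d*|\d*[a-zA-Z-][0-9a-zA-Z-]*))*))?(?:\+([0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?$/;

interface VersionCheck {
  ok: boolean;
  reason: string | null;  // rejection category, null when ok
  message: string | null; // diagnostic naming key and value, null when ok
}

// Explain why a value failed so the diagnostic is actionable.
function classifyRejection(value: string): string {
  if (value.trim() === "") return "empty";
  if (value !== value.trim()) return "surrounding-whitespace";
  if (/^[vV]\d/.test(value)) return "v-prefix";
  if (/[\^~<>=*|\s]|\.[xX](\.|$)/.test(value)) return "range-expression";
  if (/^[a-zA-Z][\w.-]*$/.test(value)) return "dist-tag";
  return "not-semver";
}

function validatePlaywrightCliVersion(
  value: string,
  key: string = "playwrightCliVersion",
): VersionCheck {
  if (SEMVER_2_0.test(value)) return { ok: true, reason: null, message: null };
  const reason = classifyRejection(value);
  return {
    ok: false,
    reason,
    message: `Invalid ${key} '${value}' (${reason}): expected an exact SemVer 2.0 version such as 1.2.3.`,
  };
}

// Constructed sample values, checked before anything is handed to npm.
for (const v of ["1.52.0", "1.2.3-beta.1+build.5", "v1.52.0", "latest", "^1.52.0", "1.x", "1.52"]) {
  const r = validatePlaywrightCliVersion(v);
  console.log(r.ok ? `ok      ${v}` : `reject  ${r.message}`);
}
```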
Housekeeping
- Refreshed the `@microsoft/aspire-cli` npm package README to be TypeScript-only: updated examples to the current `ts-starter` template (`apphost.mts`/`aspire.mjs`), added a backing-services snippet showing `aspire add` for PostgreSQL and Redis, and documented `aspire dashboard run` as a standalone dashboard option. (#18221, @adamint)
Full Changelog: v13.4.4...v13.4.5
Full commit: 73114e86c64aeb9f3f3c7da8e37df1ae4281b27e